A cyber attack traceback technique is a technique that can trace the position of the actual hacker, that is, the source site of an attack, even when the position of the attacking system differs from the position of the hacker who performs the actual hacking. Traceback techniques in the related art study various algorithms according to the communication environment and the connection method, and may generally be divided into TCP connection traceback and IP traceback techniques according to the connection method.
The IP traceback technique, which is used in a connectionless communication method, analyzes a log that remains in an attacked system in order to trace the position of an attacker from the traces left there. It includes a proactive method, in which trace-related information is inserted into the header and payload portions of an IP packet, and a reactive method, based on traffic monitoring and filtering.
TCP connection traceback is a traceback technique used in a connection-oriented communication method. It exploits features of the TCP communication method and is primarily classified into methods based on the features of the connection chain used for communication, that is, network router equipment or a host PC.
Both methods, IP-based traceback and TCP connection-based traceback, incur overhead because all network traffic packets and communication connections must be monitored. In particular, they have the disadvantage that tracing cannot proceed past network equipment (e.g., a router) or another Internet service provider (ISP) that does not provide a tracing function. Further, since data are transmitted to and received from intermediate hosts when an attack passes through a connection chain in the application layer, tracing in the network layer becomes impossible.
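To make the proactive IP traceback method above (routers inserting trace information into packets) and the limitation just described (tracing stops at equipment that lacks the function) concrete, the following is an added simulation of probabilistic packet marking; it is example code written for this page, not from the document, and the router names, the function names `forward`, `collect_marks` and `reconstruct_path`, and the marking probability are constructed assumptions.

```python
import random
from collections import defaultdict

def forward(path, p, rng):
    """Simulate one packet travelling attacker -> path[0] -> ... -> victim.

    Each participating router overwrites the mark field with probability p,
    writing its own id and distance 0; otherwise, if a mark is present, it
    increments the distance. A hop given as None does not implement marking
    (e.g. a router or ISP without the tracing function) and forwards the
    packet untouched. Returns the (router_id, distance) mark the victim sees,
    or None if no router marked the packet.
    """
    mark = None
    for router in path:
        if router is None:           # non-participating hop: no mark, no increment
            continue
        if rng.random() < p:
            mark = (router, 0)
        elif mark is not None:
            mark = (mark[0], mark[1] + 1)
    return mark

def collect_marks(path, packets, p=0.2, seed=1):
    """Victim side: count how often each (router, distance) pair arrives."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(packets):
        mark = forward(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    return dict(counts)

def reconstruct_path(counts, min_count=3):
    """Rebuild the route, nearest router first, by sorting marks by distance.
    Pairs seen fewer than min_count times are discarded as noise, because the
    sender itself can forge the mark field of the packets it emits."""
    hops = sorted((dist, router) for (router, dist), n in counts.items() if n >= min_count)
    return [router for _, router in hops]

if __name__ == "__main__":
    full = ["R1", "R2", "R3", "R4"]      # constructed 4-hop path, every router marks
    print(reconstruct_path(collect_marks(full, 2000)))   # ['R4', 'R3', 'R2', 'R1']
    gap = ["R1", "R2", None, "R4"]       # R3 lacks the tracing function
    print(reconstruct_path(collect_marks(gap, 2000)))    # ['R4', 'R2', 'R1']
```

In the second run the non-participating hop never appears and does not advance the distance counter, so R1 is reported at distance 2 and the reconstructed path is silently one hop short, which is the gap the text describes. Without every router along the route taking part, the victim cannot even tell that a hop is missing.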
Since the various tracing methods proposed so far must bear the overhead of having an ISP (Internet Service Provider) mount an additional function on its routers or install an additional system to perform monitoring, these methods may be theoretically possible, but the probability that they will actually be used may be low.
Cyber targeted attacks that have occurred in recent years may be very difficult to trace to their source site because most of them use methods for hiding the attack source site through various hopping sites. Accordingly, a technique that traces the source site of an attacker who goes through various sites is particularly required, one that does not introduce network overhead such as the addition of new equipment or a change to the IP protocol standard.